Ask a Question

INFORMATIONAL: ROBOT Vulnerability

INFORMATION

Description

The ROBOT vulnerability (https://thehackernews.com/2017/12/bleichenbacher-robot-rsa.html) affects web servers that are configured to use RSA encryption key exchange. By exploiting the vulnerability, an attacker can recover the session key used for one or more sessions, and thereby decrypt communications to and from the web server.

There are two possible options to mitigate the vulnerability. If your web server uses or is front-ended by hardware and/or software listed in the above announcement, you can apply the upgrades provided by the vendors. Alternatively, you can disable ciphersuites that employ RSA encryption key exchange (any ciphersuites whose name starts with “TLS_RSA”). DigiCert recommends applying both options, because RSA encryption key exchange does not provide forward secrecy. Forward secrecy means that every session utilizes a unique independent session key, so that even if an attacker succeeds in compromising one session key, they cannot leverage that information to compromise other session keys.

Note that neither the vulnerability nor the mitigations affect the TLS certificate itself. Even if an attacker leveraged ROBOT against your web server, they would not be able to obtain the private key of the server, only session keys. There is no need to replace TLS certificates, nor should there be any concern about compatibility between the mitigations and your TLS certificate. Disabling RSA key exchange ciphersuites means that the private key associated with your TLS certificate will not be used to encrypt session keys.

Legal

DigiCert is the world’s premier provider of high-assurance digital certificates—providing trusted SSL, private and managed PKI deployments, and device certificates for the emerging IoT market. Since our founding almost fifteen years ago, we’ve been driven by the idea of finding a better way. A better way to provide authentication on the internet. A better way to tailor solutions to our customer’s needs. Now, we’ve added Symantec’s experience and talent to our legacy of innovation to find a better way to lead the industry forward, and build greater trust in identity and digital interactions